So, I have written a REST API using Spring(java), which is secured using Basic Authentication and also responsible for handling the social-logins. Below is the configuration for facebook login.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
//autowired
@Bean
@Override
protected AuthenticationManager authenticationManager() throws Exception {
return super.authenticationManager();
}
@Bean
public ProviderSignInController providerSignInController() {
return new ProviderSignInController(connectionFactoryLocator(), usersConnectionRepository(),
new FacebookSignInAdapter());
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(NoOpPasswordEncoder.getInstance());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/login*", "/signin/**", "/signup/**").permitAll()
.anyRequest().authenticated()
.and().httpBasic()
.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and().csrf().disable()
;
}
@Bean
public ConnectionFactoryLocator connectionFactoryLocator() {
ConnectionFactoryRegistry registry = new ConnectionFactoryRegistry();
registry.addConnectionFactory(new FacebookConnectionFactory(environment.getProperty("facebook.clientId"),
environment.getProperty("facebook.clientSecret")));
return registry;
}
@Bean
public UsersConnectionRepository usersConnectionRepository() {
return new InMemoryUsersConnectionRepository(connectionFactoryLocator());
}
}
Dependency used:
<dependency>
<groupId>org.springframework.social</groupId>
<artifactId>spring-social-facebook</artifactId>
<version>2.0.3.RELEASE</version>
</dependency>
Now my frontend is written using React.js and running at https://localhost:3000. It has a button Signin using Facebook which sends a POST request to https://localhost:8443/signin/facebook. /signin/facebook is the URL provided by Spring-Security. The REST API returns a redirect url, to which the browser is blocking for CORS issue. I understand the CORS and have configured at my backend(that's why frontend is able to send request).
Access to XMLHttpRequest at 'https://www.facebook.com/v2.5/dialog/oauth?client_id=2198xxxxxx91&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8443%2Fsignin%2Ffacebook&state=xxxx' (redirected from 'https://localhost:8443/signin/facebook') from origin 'null' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
So, what is the resolution to this? I googled it, and read somewhere that the CORS is handled by backend, not the frontend. But the backend is already handling the CORS. what should be the configuration for this?